CISA Directs Federal Agencies to Secure Splunk Enterprise Systems by Sunday

CISA has placed a high-severity Splunk Enterprise vulnerability on its Known Exploited Vulnerabilities catalog following reports of active exploitation and instructed Federal Civilian Executive Branch agencies to apply fixes no later than June 21.

CISA mandates patching for CVE-2026-20253 by Sunday. The agency determined that attackers are actively abusing the flaw and directed FCEB agencies to remediate it by Sunday under Binding Operational Directive 26-04. This represents the first Splunk entry added to the KEV catalog.

The directive calls on agencies to prioritize remediation according to each vulnerability's exploitation risk. CISA stated this type of flaw is a frequent attack vector for malicious cyber actors and poses significant risks to the federal enterprise. Agencies must evaluate each asset's internet exposure and ensure compliance with BOD 26-04 guidelines.

The vulnerability allows unauthenticated remote file operations. Tracked as CVE-2026-20253, it affects Splunk Enterprise versions 10.2.0 to 10.2.3 and 10.0.0 to 10.0.6. It stems from the PostgreSQL sidecar service endpoint lacking authentication controls, enabling any network-reachable user to create or truncate arbitrary files without credentials.

"The vulnerability exists because the PostgreSQL sidecar service endpoint lacks authentication controls, allowing any network-reachable user to invoke file operations without credentials," the Splunk security team said in a security advisory published last week. Security researchers also noted the flaw can enable unauthenticated remote code execution. Fixes were issued on June 10 for versions 10.2 before 10.2.4 and 10.0 before 10.0.7.

Exploitation details surfaced rapidly after initial disclosure. Splunk issued patches shortly before WatchTowr released a technical analysis along with proof-of-concept exploit code and alerts about remote code execution attacks on June 12. On June 18 the company revised its advisory after learning of limited exploitation occurring in June 2026 and called for prompt upgrades to corrected releases.

Shadowserver tracks more than 1,400 internet-exposed Splunk instances, with 952 located in North America and 223 in Europe. No data exists on how many of those instances remain vulnerable to the ongoing attacks.

Mitigation options exist for systems that cannot be patched immediately. Splunk recommends disabling the PostgreSQL sidecar service to eliminate the attack surface. Administrators should note that this action breaks Edge Processor, OpAmp, or SPL2 data pipelines on affected instances. The agency and vendor continue to emphasize rapid remediation to limit exposure.